What are Symantec's recommendations for using Symantec Endpoint Protection's (SEP) Application and Device Control (ADC) policies? How can ADC best be put into use? What practices should be avoided?
An Application and Device Control Policy controls the access to files, folders, registry keys, processes and DLLs. It can also allow or block access to hardware devices users plug into clients. For more in-depth information on the ADC policy see the Administration Guide for Symantec Endpoint Protection.
Application and Device Control configuration errors can disable a computer or a server. When you implement an Application and Device Control Policy, the client computer can fail or its communication with the Symantec Endpoint Protection Manager can be blocked.
Application and Device Control is an advanced security feature that only experienced administrators should configure.
Known Limitations of ADC
ADC and Threat Outbreaks
It is possible to use ADC to limit the spread of threats for which Symantec does not yet have Antivirus signatures. If the MD5 (unique identifier) of the suspicious file is known, a policy can be created to block that MD5. For full details please see How to use Application and Device Control to limit the spread of a threat.
Rule sets consist of rules and their conditions. A rule is a set of conditions and actions that apply to a given process or processes. A best practice is to create one rule set that includes all of the actions that allow, block, and monitor one given task.
Create multiple rules and add them to a single application control rule set. Create as many rules and as many rule sets as needed to implement the desired protection, but be aware that serious performance issues arise from the use of rule sets of excessive length.
Application control rules work similarly to most network-based firewall rules in that both use the first rule match feature. When there are multiple rules where the conditions are true, the top rule is the only one that is applied unless the action that is configured for the rule is to Continue processing other rules. Consider the order of the rules and their conditions when configuring them to avoid unexpected consequences.
When applying a condition to all entities in a particular folder, a best practice is to use folder name\* or folder name\*\*. One asterisk includes all the files and folders in the named folder. Use folder name\*\* to include every file and folder in the named folder, plus every file and folder in every sub-folder.
Note: A best practice is to use the Block Access action to prevent a condition rather than to use the Terminate Process action. Terminate Process kills the application that has made the request. The Terminate Process action should be used only in advanced configurations.
Note: When creating rules and conditions: remember that using complex regular expression ("regex") queries for matching may be much more CPU-intensive than plain string matching.
While there are no hard-coded limitations with regards to the number of conditions in policies, performance will be seriously impacted if policies are configured in an overly-complex manner. Please abide by the below recommendations on estimated limits.
If the Application Control rule sets or conditions are very large, they will cause several performance problems: